Merge pull request #829 from andrewstuart/master

Add parsing of pkcs#8-encoded bundles for pki/config/ca
2026-06-09 08:55:13 -04:00 · 2015-12-22 10:06:59 -05:00 · 2015-12-22 10:06:59 -05:00 · 69a2d7b8cc
commit 69a2d7b8cc
parent 190a6f8e2c fea21d9c08
3 changed files with 220 additions and 73 deletions
--- a/helper/certutil/certutil_test.go
+++ b/helper/certutil/certutil_test.go
@ -18,18 +18,23 @@ import (
 func TestCertBundleConversion(t *testing.T) {
 	cbuts := []*CertBundle{
 		refreshRSACertBundle(),
+		refreshRSA8CertBundle(),
 		refreshECCertBundle(),
+		refreshEC8CertBundle(),
 	}

-	for _, cbut := range cbuts {
+	for i, cbut := range cbuts {
 		pcbut, err := cbut.ToParsedCertBundle()
 		if err != nil {
-			t.Fatalf("Error converting to parsed cert bundle: %s", err)
+			t.Logf("Error occurred with bundle %d in test array (index %d).\n", i+1, i)
+			t.Errorf("Error converting to parsed cert bundle: %s", err)
+			continue
 		}

 		err = compareCertBundleToParsedCertBundle(cbut, pcbut)
 		if err != nil {
-			t.Fatalf(err.Error())
+			t.Logf("Error occurred with bundle %d in test array (index %d).\n", i+1, i)
+			t.Errorf(err.Error())
 		}

 		cbut, err := pcbut.ToCertBundle()
@ -44,6 +49,31 @@ func TestCertBundleConversion(t *testing.T) {
 	}
 }

+func BenchmarkCertBundleParsing(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		cbuts := []*CertBundle{
+			refreshRSACertBundle(),
+			refreshRSA8CertBundle(),
+			refreshECCertBundle(),
+			refreshEC8CertBundle(),
+		}
+
+		for i, cbut := range cbuts {
+			pcbut, err := cbut.ToParsedCertBundle()
+			if err != nil {
+				b.Logf("Error occurred with bundle %d in test array (index %d).\n", i+1, i)
+				b.Errorf("Error converting to parsed cert bundle: %s", err)
+				continue
+			}
+
+			cbut, err = pcbut.ToCertBundle()
+			if err != nil {
+				b.Fatalf("Error converting to cert bundle: %s", err)
+			}
+		}
+	}
+}
+
 func TestCertBundleParsing(t *testing.T) {
 	jsonBundle := refreshRSACertBundle()
 	jsonString, err := json.Marshal(jsonBundle)
@ -106,11 +136,19 @@ func compareCertBundleToParsedCertBundle(cbut *CertBundle, pcbut *ParsedCertBund
 	switch cbut.PrivateKey {
 	case privRSAKeyPem:
 		if pcbut.PrivateKeyType != RSAPrivateKey {
-			return fmt.Errorf("Parsed bundle has wrong private key type")
+			return fmt.Errorf("Parsed bundle has wrong private key type: %v, should be 'rsa' (%v)", pcbut.PrivateKeyType, RSAPrivateKey)
+		}
+	case privRSA8KeyPem:
+		if pcbut.PrivateKeyType != RSAPrivateKey {
+			return fmt.Errorf("Parsed bundle has wrong pkcs8 private key type: %v, should be 'rsa' (%v)", pcbut.PrivateKeyType, RSAPrivateKey)
 		}
 	case privECKeyPem:
 		if pcbut.PrivateKeyType != ECPrivateKey {
-			return fmt.Errorf("Parsed bundle has wrong private key type")
+			return fmt.Errorf("Parsed bundle has wrong private key type: %v, should be 'ec' (%v)", pcbut.PrivateKeyType, ECPrivateKey)
+		}
+	case privEC8KeyPem:
+		if pcbut.PrivateKeyType != ECPrivateKey {
+			return fmt.Errorf("Parsed bundle has wrong pkcs8 private key type: %v, should be 'ec' (%v)", pcbut.PrivateKeyType, ECPrivateKey)
 		}
 	default:
 		return fmt.Errorf("Parsed bundle has unknown private key type")
@ -138,23 +176,17 @@ func compareCertBundleToParsedCertBundle(cbut *CertBundle, pcbut *ParsedCertBund
 		return fmt.Errorf("Bundle has nil issuing CA")
 	}

-	switch cb.PrivateKeyType {
-	case "rsa":
-		if pcbut.PrivateKeyType != RSAPrivateKey {
-			return fmt.Errorf("Bundle has wrong private key type")
-		}
-		if cb.PrivateKey != privRSAKeyPem {
+	switch pcbut.PrivateKeyType {
+	case RSAPrivateKey:
+		if cb.PrivateKey != privRSAKeyPem && cb.PrivateKey != privRSA8KeyPem {
 			return fmt.Errorf("Bundle private key does not match")
 		}
-	case "ec":
-		if pcbut.PrivateKeyType != ECPrivateKey {
-			return fmt.Errorf("Bundle has wrong private key type")
-		}
-		if cb.PrivateKey != privECKeyPem {
+	case ECPrivateKey:
+		if cb.PrivateKey != privECKeyPem && cb.PrivateKey != privEC8KeyPem {
 			return fmt.Errorf("Bundle private key does not match")
 		}
 	default:
-		return fmt.Errorf("Bundle has unknown private key type")
+		return fmt.Errorf("CertBundle has unknown private key type")
 	}

 	if cb.SerialNumber != GetOctalFormatted(pcbut.Certificate.SerialNumber.Bytes(), ":") {
@ -326,6 +358,14 @@ func TestTLSConfig(t *testing.T) {
 	}
 }

+func refreshRSA8CertBundle() *CertBundle {
+	return &CertBundle{
+		Certificate: certRSAPem,
+		PrivateKey:  privRSA8KeyPem,
+		IssuingCA:   issuingCaPem,
+	}
+}
+
 func refreshRSACertBundle() *CertBundle {
 	ret := &CertBundle{
 		Certificate: certRSAPem,
@ -360,7 +400,44 @@ func refreshECCSRBundle() *CSRBundle {
 	return ret
 }

+func refreshEC8CertBundle() *CertBundle {
+	return &CertBundle{
+		Certificate: certECPem,
+		PrivateKey:  privEC8KeyPem,
+		IssuingCA:   issuingCaPem,
+	}
+}
+
 const (
+	privRSA8KeyPem = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3dklRrO0JGJWD
+zs/TLxPtAw0VCLrUEJIgp6nFddZzvOLkklIx9ACy1ckSoFiJKGxKlibqyiJPqFfT
+vi3vBAAcZLf67uo2iBamZMBRNSc0gz5ALEfY1z+TNjFpZqO6lXOAa8t6KpTd3i0h
+ST9mR+29YmvKvaFlzzMQ3cLikZL/YX5FD7M6/4GkAjUF1tAaEXub3a+fopL+Jayq
+bAcb2gKGC9Z4EeNZQjyoZq4Fz6K3hLlHF83wkkgFdQhm1tqoVnOCO/yRQPKqhAa+
+Rj/gJ7UrRsUmwzvCYw+/7lCxwgEXgpaA3SRNIw89d+ef9AgB+FphCRP0yPAavr4H
+dI4M0YJNAgMBAAECggEAe1LCGmsZs2GZL88XmKguxsWkR51kqSSydcz+rEN38rjn
+9Cn/oqCYz54x2Zl7qkdH9CNW6cESq2VIFIfkrKSNxohVvBJZ0mpMf3F+bZhDUGNg
+txaM/VBD5hspv+ZE7SmFSLAtSWPSSgoNYDCys3hqcUH1n4U1NxC/DPllBZRBsfSd
+5C1Y7WcO8uxJyC7WRyGgTMkQloU5DX4d8Z5bEPvrp9nKplCLn5wuuE6oc4ZKU74g
+VV7SGC6IQcWv0sQ9NdeRm05HjBN/uPVSzyzUpD+O/TWzH1LscRtkm6vMiNLbc7LA
+RR0l3USwgTaUlXZBTBKICw9hk5JBmWA4bM9VEpWQaQKBgQDW76lU/av7FLFjLwpx
+1xEJ0YYGHTRUvHXIlEdZnliMXnqGnRHRwb7EYtqvkoJ0GmviMmdAYivHyXDdIMK3
+gReXGAnGK1eUG2IoHIzv+ZhFF9RGv1YxGvjzwZCVYNujZdqWe5pzSqWQWpUiDQFp
+b5nXkD8TUvr1pTFpHSjOUD0mXwKBgQDag0DkXai2rOj141i5w0COKFWEBN3XUMQJ
+C9shCn/RsQl7RmefOr9AgYg5VqkLRUoYHAE/kO4svU/+dM+OMT9mGMW6Ew0zk/ML
+qhsCMGH6AKlz5z7bVB6u/tEpROLawZPNEe6WlxxEN+4XxuHMPqUCjnQWlKY8T+i9
+nNv34ixe0wKBgFWdR0z0cqHjvzjrzvRDn6TSkdkzntm17BDGh5k6Crl3FMU0IZn0
+28EsQ0G2UUJgF+MVAq3RrPC627spRoaD5FqqF5KZRxxWwAWMQdOBD1dOQ58erf2H
+aezmiGoIF9UBSE2y1HXiIQrcGhVjKtHNw3DrI0TWQ+K/N2xQUiXELmdvAoGANRSN
+PuxBf56hOJnxg66aj+3cWCWWfidwd4IZyPzz78xBsWB464Up0FGm9cbHaaV7SkAD
+TZ23Pcb/F6DoinIMJJD/9yOJoW3fLIY16WI3arOedjlGW6Ejkv7zcEL7mIhNjxM8
+EfjDNQ8hF0WItETDcMuKB7I0b5I5x1XDWYPno2ECgYEAsWHewaSG8+Ij8b+L/m0Z
+lUD91L/gNVc6gdbjf5kMdYTCqI3q9N/9VWJyb7yRx8tjUTl9J//h7uYhCrujmpWf
+1jcdaxqNLUUV7OcmM+PglprUe96A1zJwDOxc5DvHLbf/zBS6mA14PWYV1IUJdDdR
+52wm5UEewSU9zlbvirgXj4U=
+-----END PRIVATE KEY-----`
+
 	privRSAKeyPem = `-----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEAt3ZJUaztCRiVg87P0y8T7QMNFQi61BCSIKepxXXWc7zi5JJS
 MfQAstXJEqBYiShsSpYm6soiT6hX074t7wQAHGS3+u7qNogWpmTAUTUnNIM+QCxH
@ -445,6 +522,12 @@ wvvgOeCBovN3tSuGKzTiUKAAMAoGCCqGSM49BAMCAz8AMDwCHFap/5XDuqtXCG1g
 ljbYH5OWGBqGYCfL2k2+/6cCHAuk1bmOkGx7JAq/fSPd09i0DQIqUu7WHQHms48=
 -----END CERTIFICATE REQUEST-----`

+	privEC8KeyPem = `-----BEGIN PRIVATE KEY-----
+MHgCAQAwEAYHKoZIzj0CAQYFK4EEACEEYTBfAgEBBBzN57mC5a72sATfYRlXLvZq
+WghK+yzHuOGu6EDsoTwDOgAEwWd1V8ARPaHkkRKTOW9uT1ulori2+BF1qSmco4+e
+dkGCmHu0AbhnvcL74DnggaLzd7Urhis04lA=
+-----END PRIVATE KEY-----`
+
 	certECPem = `-----BEGIN CERTIFICATE-----
 MIIDJDCCAg6gAwIBAgIUM3J02tw0ZvpHUVHv6t8kcoft2/MwCwYJKoZIhvcNAQEL
 MBsxGTAXBgNVBAMMEFZhdWx0IFRlc3RpbmcgQ0EwHhcNMTUwNjE5MTcyODQyWhcN
--- a/helper/certutil/helpers.go
+++ b/helper/certutil/helpers.go
@ -123,6 +123,7 @@ func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error) {
 			if parsedBundle.PrivateKeyType != UnknownPrivateKey {
 				return nil, UserError{"more than one private key given; provide only one private key in the bundle"}
 			}
+			parsedBundle.PrivateKeyFormat = ECBlock
 			parsedBundle.PrivateKeyType = ECPrivateKey
 			parsedBundle.PrivateKeyBytes = pemBlock.Bytes
 			parsedBundle.PrivateKey = signer
@ -132,9 +133,25 @@ func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error) {
 				return nil, UserError{"more than one private key given; provide only one private key in the bundle"}
 			}
 			parsedBundle.PrivateKeyType = RSAPrivateKey
+			parsedBundle.PrivateKeyFormat = PKCS1Block
 			parsedBundle.PrivateKeyBytes = pemBlock.Bytes
 			parsedBundle.PrivateKey = signer
+		} else if signer, err := x509.ParsePKCS8PrivateKey(pemBlock.Bytes); err == nil {
+			parsedBundle.PrivateKeyFormat = PKCS8Block

+			if parsedBundle.PrivateKeyType != UnknownPrivateKey {
+				return nil, UserError{"More than one private key given; provide only one private key in the bundle"}
+			}
+			switch signer := signer.(type) {
+			case *rsa.PrivateKey:
+				parsedBundle.PrivateKey = signer
+				parsedBundle.PrivateKeyType = RSAPrivateKey
+				parsedBundle.PrivateKeyBytes = pemBlock.Bytes
+			case *ecdsa.PrivateKey:
+				parsedBundle.PrivateKey = signer
+				parsedBundle.PrivateKeyType = ECPrivateKey
+				parsedBundle.PrivateKeyBytes = pemBlock.Bytes
+			}
 		} else if certificates, err := x509.ParseCertificates(pemBlock.Bytes); err == nil {
 			switch len(certificates) {
 			case 0:
@ -186,7 +203,7 @@ func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error) {
 // GeneratePrivateKey generates a private key with the specified type and key bits
 func GeneratePrivateKey(keyType string, keyBits int, container ParsedPrivateKeyContainer) error {
 	var err error
-	var privateKeyType int
+	var privateKeyType PrivateKeyType
 	var privateKeyBytes []byte
 	var privateKey crypto.Signer

--- a/helper/certutil/types.go
+++ b/helper/certutil/types.go
@ -3,13 +3,13 @@
 // includes helpers for converting a certificate/private key bundle
 // between DER and PEM, printing certificate serial numbers, and more.
 //
-// Functionality specific to the PKI backend includes some types
-// and helper methods to make requesting certificates from the
-// backend easy.
+// Functionality specific to the PKI backend includes some types // and helper methods to make requesting certificates from the // backend easy.
 package certutil

 import (
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
@ -23,15 +23,16 @@ type Secret struct {
 	Data map[string]interface{} `json:"data"`
 }

-// The type of of the Private Key referenced in CertBundle
-// and ParsedCertBundle. This uses colloquial names rather than
-// official names, to eliminate confusion
-type PrivateKeyType int
+// PrivateKeyType holds a string representation of the type of private key (ec
+// or rsa) referenced in CertBundle and ParsedCertBundle. This uses colloquial
+// names rather than official names, to eliminate confusion
+type PrivateKeyType string

+//Well-known PrivateKeyTypes
 const (
-	UnknownPrivateKey = iota
-	RSAPrivateKey
-	ECPrivateKey
+	UnknownPrivateKey PrivateKeyType = ""
+	RSAPrivateKey     PrivateKeyType = "rsa"
+	ECPrivateKey      PrivateKeyType = "ec"
 )

 // TLSUsage controls whether the intended usage of a *tls.Config
@ -39,12 +40,23 @@ const (
 // client use, or both, which affects which values are set
 type TLSUsage int

+//Well-known TLSUsage types
 const (
 	TLSUnknown TLSUsage = 0
 	TLSServer  TLSUsage = 1 << iota
 	TLSClient
 )

+//BlockType indicates the serialization format of the key
+type BlockType string
+
+//Well-known formats
+const (
+	PKCS1Block BlockType = "RSA PRIVATE KEY"
+	PKCS8Block BlockType = "PRIVATE KEY"
+	ECBlock    BlockType = "EC PRIVATE KEY"
+)
+
 // UserError represents an error generated due to invalid user input
 type UserError struct {
 	Err string
@ -64,26 +76,27 @@ func (e InternalError) Error() string {
 	return e.Err
 }

-// Used to allow common key setting for certs and CSRs
+//ParsedPrivateKeyContainer allows common key setting for certs and CSRs
 type ParsedPrivateKeyContainer interface {
-	SetParsedPrivateKey(crypto.Signer, int, []byte)
+	SetParsedPrivateKey(crypto.Signer, PrivateKeyType, []byte)
 }

 // CertBundle contains a key type, a PEM-encoded private key,
 // a PEM-encoded certificate, and a string-encoded serial number,
 // returned from a successful Issue request
 type CertBundle struct {
-	PrivateKeyType string `json:"private_key_type" structs:"private_key_type" mapstructure:"private_key_type"`
-	Certificate    string `json:"certificate" structs:"certificate" mapstructure:"certificate"`
-	IssuingCA      string `json:"issuing_ca" structs:"issuing_ca" mapstructure:"issuing_ca"`
-	PrivateKey     string `json:"private_key" structs:"private_key" mapstructure:"private_key"`
-	SerialNumber   string `json:"serial_number" structs:"serial_number" mapstructure:"serial_number"`
+	PrivateKeyType PrivateKeyType `json:"private_key_type" structs:"private_key_type" mapstructure:"private_key_type"`
+	Certificate    string         `json:"certificate" structs:"certificate" mapstructure:"certificate"`
+	IssuingCA      string         `json:"issuing_ca" structs:"issuing_ca" mapstructure:"issuing_ca"`
+	PrivateKey     string         `json:"private_key" structs:"private_key" mapstructure:"private_key"`
+	SerialNumber   string         `json:"serial_number" structs:"serial_number" mapstructure:"serial_number"`
 }

 // ParsedCertBundle contains a key type, a DER-encoded private key,
 // and a DER-encoded certificate
 type ParsedCertBundle struct {
-	PrivateKeyType   int
+	PrivateKeyType   PrivateKeyType
+	PrivateKeyFormat BlockType
 	PrivateKeyBytes  []byte
 	PrivateKey       crypto.Signer
 	IssuingCABytes   []byte
@ -95,15 +108,15 @@ type ParsedCertBundle struct {
 // CSRBundle contains a key type, a PEM-encoded private key,
 // and a PEM-encoded CSR
 type CSRBundle struct {
-	PrivateKeyType string `json:"private_key_type" structs:"private_key_type" mapstructure:"private_key_type"`
-	CSR            string `json:"csr" structs:"csr" mapstructure:"csr"`
-	PrivateKey     string `json:"private_key" structs:"private_key" mapstructure:"private_key"`
+	PrivateKeyType PrivateKeyType `json:"private_key_type" structs:"private_key_type" mapstructure:"private_key_type"`
+	CSR            string         `json:"csr" structs:"csr" mapstructure:"csr"`
+	PrivateKey     string         `json:"private_key" structs:"private_key" mapstructure:"private_key"`
 }

 // ParsedCSRBundle contains a key type, a DER-encoded private key,
 // and a DER-encoded certificate request
 type ParsedCSRBundle struct {
-	PrivateKeyType  int
+	PrivateKeyType  PrivateKeyType
 	PrivateKeyBytes []byte
 	PrivateKey      crypto.Signer
 	CSRBytes        []byte
@ -122,24 +135,29 @@ func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error) {
 		if pemBlock == nil {
 			return nil, UserError{"Error decoding private key from cert bundle"}
 		}
-		result.PrivateKeyBytes = pemBlock.Bytes

-		switch c.PrivateKeyType {
-		case "ec":
-			result.PrivateKeyType = ECPrivateKey
-		case "rsa":
-			result.PrivateKeyType = RSAPrivateKey
-		default:
-			// Try to figure it out and correct
-			if _, err := x509.ParseECPrivateKey(pemBlock.Bytes); err == nil {
-				result.PrivateKeyType = ECPrivateKey
-				c.PrivateKeyType = "ec"
-			} else if _, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes); err == nil {
-				result.PrivateKeyType = RSAPrivateKey
-				c.PrivateKeyType = "rsa"
-			} else {
-				return nil, UserError{fmt.Sprintf("Unknown private key type in bundle: %s", c.PrivateKeyType)}
+		result.PrivateKeyBytes = pemBlock.Bytes
+		result.PrivateKeyFormat = BlockType(strings.TrimSpace(pemBlock.Type))
+
+		switch result.PrivateKeyFormat {
+		case ECBlock:
+			result.PrivateKeyType, c.PrivateKeyType = ECPrivateKey, ECPrivateKey
+		case PKCS1Block:
+			c.PrivateKeyType, result.PrivateKeyType = RSAPrivateKey, RSAPrivateKey
+		case PKCS8Block:
+			t, err := getPKCS8Type(pemBlock.Bytes)
+			if err != nil {
+				return nil, UserError{fmt.Sprintf("Error getting key type from pkcs#8: %v", err)}
 			}
+			result.PrivateKeyType = t
+			switch t {
+			case ECPrivateKey:
+				c.PrivateKeyType = ECPrivateKey
+			case RSAPrivateKey:
+				c.PrivateKeyType = RSAPrivateKey
+			}
+		default:
+			return nil, UserError{fmt.Sprintf("Unsupported key block type: %s", pemBlock.Type)}
 		}

 		result.PrivateKey, err = result.getSigner()
@ -202,17 +220,20 @@ func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error) {
 	}

 	if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 {
+		block.Type = string(p.PrivateKeyFormat)
 		block.Bytes = p.PrivateKeyBytes
-		switch p.PrivateKeyType {
-		case RSAPrivateKey:
-			result.PrivateKeyType = "rsa"
-			block.Type = "RSA PRIVATE KEY"
-		case ECPrivateKey:
-			result.PrivateKeyType = "ec"
-			block.Type = "EC PRIVATE KEY"
-		default:
-			return nil, InternalError{"Could not determine private key type when creating block"}
+		result.PrivateKeyType = p.PrivateKeyType
+
+		//Handle bundle not parsed by us
+		if block.Type == "" {
+			switch p.PrivateKeyType {
+			case ECPrivateKey:
+				block.Type = string(ECBlock)
+			case RSAPrivateKey:
+				block.Type = string(PKCS1Block)
+			}
 		}
+
 		result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
 	}

@ -231,19 +252,29 @@ func (p *ParsedCertBundle) getSigner() (crypto.Signer, error) {
 		return nil, UserError{"Given parsed cert bundle does not have private key information"}
 	}

-	switch p.PrivateKeyType {
-	case ECPrivateKey:
+	switch p.PrivateKeyFormat {
+	case ECBlock:
 		signer, err = x509.ParseECPrivateKey(p.PrivateKeyBytes)
 		if err != nil {
 			return nil, UserError{fmt.Sprintf("Unable to parse CA's private EC key: %s", err)}
 		}

-	case RSAPrivateKey:
+	case PKCS1Block:
 		signer, err = x509.ParsePKCS1PrivateKey(p.PrivateKeyBytes)
 		if err != nil {
 			return nil, UserError{fmt.Sprintf("Unable to parse CA's private RSA key: %s", err)}
 		}

+	case PKCS8Block:
+		if k, err := x509.ParsePKCS8PrivateKey(p.PrivateKeyBytes); err == nil {
+			switch k := k.(type) {
+			case *rsa.PrivateKey, *ecdsa.PrivateKey:
+				return k.(crypto.Signer), nil
+			default:
+				return nil, UserError{"Found unknown private key type in pkcs#8 wrapping"}
+			}
+		}
+		return nil, UserError{fmt.Sprintf("Failed to parse pkcs#8 key: %v", err)}
 	default:
 		return nil, UserError{"Unable to determine type of private key; only RSA and EC are supported"}
 	}
@ -251,12 +282,28 @@ func (p *ParsedCertBundle) getSigner() (crypto.Signer, error) {
 }

 // SetParsedPrivateKey sets the private key parameters on the bundle
-func (p *ParsedCertBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType int, privateKeyBytes []byte) {
+func (p *ParsedCertBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType PrivateKeyType, privateKeyBytes []byte) {
 	p.PrivateKey = privateKey
 	p.PrivateKeyType = privateKeyType
 	p.PrivateKeyBytes = privateKeyBytes
 }

+func getPKCS8Type(bs []byte) (PrivateKeyType, error) {
+	k, err := x509.ParsePKCS8PrivateKey(bs)
+	if err != nil {
+		return UnknownPrivateKey, UserError{fmt.Sprintf("Failed to parse pkcs#8 key: %v", err)}
+	}
+
+	switch k.(type) {
+	case *ecdsa.PrivateKey:
+		return ECPrivateKey, nil
+	case *rsa.PrivateKey:
+		return RSAPrivateKey, nil
+	default:
+		return UnknownPrivateKey, UserError{"Found unknown private key type in pkcs#8 wrapping"}
+	}
+}
+
 // ToParsedCSRBundle converts a string-based CSR bundle
 // to a byte-based raw CSR bundle
 func (c *CSRBundle) ToParsedCSRBundle() (*ParsedCSRBundle, error) {
@ -271,10 +318,10 @@ func (c *CSRBundle) ToParsedCSRBundle() (*ParsedCSRBundle, error) {
 		}
 		result.PrivateKeyBytes = pemBlock.Bytes

-		switch c.PrivateKeyType {
-		case "ec":
+		switch BlockType(pemBlock.Type) {
+		case ECBlock:
 			result.PrivateKeyType = ECPrivateKey
-		case "rsa":
+		case PKCS1Block:
 			result.PrivateKeyType = RSAPrivateKey
 		default:
 			// Try to figure it out and correct
@ -373,7 +420,7 @@ func (p *ParsedCSRBundle) getSigner() (crypto.Signer, error) {
 }

 // SetParsedPrivateKey sets the private key parameters on the bundle
-func (p *ParsedCSRBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType int, privateKeyBytes []byte) {
+func (p *ParsedCSRBundle) SetParsedPrivateKey(privateKey crypto.Signer, privateKeyType PrivateKeyType, privateKeyBytes []byte) {
 	p.PrivateKey = privateKey
 	p.PrivateKeyType = privateKeyType
 	p.PrivateKeyBytes = privateKeyBytes